Solved
How can I span my LAN subnet over MPLS using two Watchguard firewalls?

Posted on 2009-05-14
Last Modified: 2013-11-16
Hi all,

We have a VMWare ESX 3.5 environment at head office with a DR server in a co-lo. We want to use Vizioncore vReplicator to backup servers to the co-lo. The two sites are connected via a 10Mb MPLS routed link and I need to extend my local subnet so that the DR server has an IP address on our subnet for vReplicator to work fully.

We have a Watchguard X750e at head office and was told by Watchguard that if we bought an X550e for the co-lo, the Watchguards could span the subnet over the MPLS.

Now (after we've purchased the unit) Watchguard are backtracking and referring this to the US. A week and a half later and I still don't have an answer.

Does anyone know if this is possible? If not with Watchguards, is there any other hardware or software that will let me do this?

It's very frustrating as we've made a significant investment on Watchguard's advice, only for them to mess us about now we're ready to implement their solution.

Any advice, greatly appreciated.

Thanks.


0
Comment
Question by:aimvicit
12 Comments
 
LVL 1

Expert Comment

by:TheAnimaniac
ID: 24392253
Just a few questions before we get started.
If I understand you correctly, you want to use the same IP range in your co-lo?
I presume your co-lo has already been set up with its own IP range, or does it indeed have the same IP range as your HQ?
What is wrong with using a routed subnet in your co-lo?
0
 

Author Comment

by:aimvicit
ID: 24392802
Hi,

You assume correctly, the DR server needs to be on the same subnet as head office. vReplicator ideally needs to be configured with production and DR on the same subnet so you can fail over to VMs in the DR without any issues with DNS trying to update over two subnets. For example, our Exchange server VM dies and we bring the DR VM up; in the recommended configuration this would have the same name and IP. It is possible for it to just have the same name on a different IP, but this is not recommended for DNS reasons.

A bridge would be ideal, but don't think the ISP can do it.

Thanks again.
0
 
LVL 32

Accepted Solution

by:
dpk_wal earned 1500 total points
ID: 24393463
I do not think that WG would route MPLS over VPN; if you have pure IP traffic then we can create a VPN tunnel between the two endpoints with the same IP subnet by configuring NAT over IPSec.

Can you advise whether, if you do not use MPLS and just configure a simple VPN tunnel between the endpoints with NAT over IPSec (so the same subnet is not a problem), this solution would work for you or not?

Thank you.
0
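The NAT-over-IPSec arrangement dpk_wal describes, as an added example that is not part of the thread or of any WatchGuard configuration: each firewall presents its real 192.168.1.0/24 to the tunnel under a distinct translated prefix, so the two identical subnets never meet. The subnet values 10.10.1.0/24 and 10.10.2.0/24 and the helper names are assumptions.

```python
import ipaddress

# Constructed example values, not from the thread: both sites really use
# 192.168.1.0/24, so each site is shown to the tunnel under its own prefix.
REAL_SUBNET = ipaddress.ip_network("192.168.1.0/24")
HQ_TUNNEL_SUBNET = ipaddress.ip_network("10.10.1.0/24")    # HQ as seen from co-lo
COLO_TUNNEL_SUBNET = ipaddress.ip_network("10.10.2.0/24")  # co-lo as seen from HQ


def translate(addr, from_net, to_net):
    """1:1 (static) NAT: keep the host bits, swap the network prefix."""
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("1:1 NAT needs equal-size prefixes")
    ip = ipaddress.ip_address(addr)
    if ip not in from_net:
        raise ValueError(f"{ip} is not in {from_net}")
    host_bits = int(ip) - int(from_net.network_address)
    return str(ipaddress.ip_address(int(to_net.network_address) + host_bits))


def site_outbound(pkt, tunnel_net):
    """Traffic entering the tunnel: rewrite the real source to this site's
    tunnel prefix; the destination already names the peer's tunnel prefix."""
    src, dst = pkt
    return (translate(src, REAL_SUBNET, tunnel_net), dst)


def site_inbound(pkt, tunnel_net):
    """Traffic leaving the tunnel: map the tunnel destination back to the real
    local host; the source stays translated so replies return via the tunnel."""
    src, dst = pkt
    return (src, translate(dst, tunnel_net, REAL_SUBNET))


def hq_to_colo(src_real, dst_tunnel):
    """Trace one packet from an HQ host to the co-lo DR server; returns the
    (src, dst) pair as seen on the HQ LAN, inside the tunnel, on the co-lo LAN."""
    on_hq_lan = (src_real, dst_tunnel)
    in_tunnel = site_outbound(on_hq_lan, HQ_TUNNEL_SUBNET)
    on_colo_lan = site_inbound(in_tunnel, COLO_TUNNEL_SUBNET)
    return on_hq_lan, in_tunnel, on_colo_lan


if __name__ == "__main__":
    # HQ host 192.168.1.10 reaches the DR server (really 192.168.1.50 at the
    # co-lo) only under its translated address 10.10.2.50.
    hops = ("HQ LAN", "tunnel", "co-lo LAN")
    for hop, (src, dst) in zip(hops, hq_to_colo("192.168.1.10", "10.10.2.50")):
        print(f"{hop:10} src={src:15} dst={dst}")
```

The consequence for the DR design asked about above: the DR VM keeps its real address locally, but head-office hosts reach it only through the translated address, so this alone does not give the "same name and IP" failover the asker wants.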
 
LVL 1

Expert Comment

by:TheAnimaniac
ID: 24393928
Your wish includes ARP broadcasts for the same IP to work after a failover. I think you're better off with a well-configured DNS. For the DNS issue you could think of very low TTL values.
0
 

Author Comment

by:aimvicit
ID: 24408252
Hi, are you suggesting using a different subnet with the same DNS names? If so, that is a possible scenario but not one Vizioncore recommend.

Thanks.
0
 
LVL 6

Expert Comment

by:ob1_
ID: 24408288
If I understand correctly the MPLS is probably handled at both ends by a managed router from your ISP - is that the case? If so is the 550e in front of the managed router at the co-lo or is it the other way around?
0
 

Author Comment

by:aimvicit
ID: 24408384
Yes correct, the 550e will be in front of the managed router at the co-lo.
0
 
LVL 6

Expert Comment

by:ob1_
ID: 24408483
Ok. If your Exchange server goes down and the backup server has to come online, will it be sending mail over the MPLS through the main office's internet connection or does it access the internet from the co-lo?
0
 

Author Comment

by:aimvicit
ID: 24408484
We would expect it to get email through the main office connection. We would only ever enable the internet access at the co-lo if we lost the main site (e.g. fire).

Thanks.
0
 
LVL 6

Expert Comment

by:ob1_
ID: 24408534
Ok. You don't need the 550e to expand your subnet to the co-lo. You can just configure the server with the correct IP address. If you can't - then you need to escalate a ticket with your ISP to reconfigure your managed router at your co-lo.

I have a similar setup with a WG 550e at the corporate office and MPLS running to a satellite office. The server at the satellite office connects to the managed router and is set up on the 192.168.10 subnet, whereas the corp office is the 192.168.1 subnet. So it's a little bit different, but I can't imagine that I could not just rename the server IP to 192.168.1.xxx and it would not work just the same.

If it doesn't, like I said, then there is a setting in the managed router that connects the two subnets and this would need to be changed by the ISP. I am not 100% on this part though b/c I didn't implement it.

I would get that working first then add the 550e back into the mix for your failover internet solution. I am pretty sure your internet and MPLS bandwidth are going to come into the co-lo on separate circuits, one of which would be connected to the 550e and one of which will connect to your managed router - then both of those would run into your switch, and then your server.

I don't think in any of this you need to configure the 550e to expand the subnet from the head office.

Let me know how it goes, hope this helps.


 - Bob
0
 
LVL 6

Expert Comment

by:ob1_
ID: 24408542
But if your MPLS and internet at main office are the same provider chances of MPLS being up when internet is down are slim - so you might not need 550e at all.
0
 
LVL 1

Expert Comment

by:TheAnimaniac
ID: 24410031
I'm indeed suggesting a different subnet (which it already has) and you let the server register itself with DNS, overwriting the currently offline server's IP address with its own. I presume the server at the co-lo is turned off...
0
